package com.hushan.elevator.config;

import com.hushan.elevator.security.filter.JwtAuthenticationFilter;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.config.annotation.authentication.configuration.AuthenticationConfiguration;
import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
import org.springframework.security.web.util.matcher.RequestMatcher;

import static org.springframework.security.config.Customizer.withDefaults;

@Configuration
@EnableMethodSecurity(prePostEnabled = true) // 开启注解权限验证
public class SpringSecurityConfig {
    // encoder
    @Bean
    public PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();
    }

    @Bean
    public AuthenticationManager authenticationManager(AuthenticationConfiguration authConfig) throws Exception {
        return authConfig.getAuthenticationManager();
    }

    @Bean
    public JwtAuthenticationFilter jwtAuthenticationFilter() {
        return new JwtAuthenticationFilter();
    }

//
    @Bean
    public SecurityFilterChain FilterChain(HttpSecurity http) throws Exception {
        RequestMatcher[] allPermittedRequest = new RequestMatcher[]{
                new AntPathRequestMatcher("/user/login","POST"),
                new AntPathRequestMatcher("/user/captcha","GET"),
                new AntPathRequestMatcher("/ws/**"), // from device websocket
                new AntPathRequestMatcher("/websocket/**"),
                new AntPathRequestMatcher("/d/**"), // from device event and picture listen
                new AntPathRequestMatcher("/swagger-ui/**"),
                new AntPathRequestMatcher("/v3/api-docs/**"),
        };

        // all url are limited to be authenticated
        http.authorizeHttpRequests(
                authorize -> authorize
                        .requestMatchers(allPermittedRequest).permitAll()
                        // authorize control
                        .requestMatchers("/user/test").hasAuthority("author")
                        .anyRequest().authenticated()
        ).csrf(AbstractHttpConfigurer::disable).addFilterBefore(jwtAuthenticationFilter(), UsernamePasswordAuthenticationFilter.class);
        http.cors(withDefaults());

        return http.build();
    }

//    @Bean
//    @Order(1)
//    public SecurityFilterChain SwaggerChain(HttpSecurity http) throws Exception {
//        RequestMatcher[] allPermittedRequest = new RequestMatcher[]{
//                new AntPathRequestMatcher("/swagger-ui/**"),
//                new AntPathRequestMatcher("/v3/api-docs/swagger-config"),
//        };
//
//        // all url are limited to be authenticated
//        http.securityMatchers().authorizeHttpRequests(
//                authorize -> authorize
//                        .anyRequest().anonymous()
//        );
//        return http.build();
//    }
}
